Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.

Friday, February 4, 2011

Packet Analysis With xtractr

I've mentioned xtractr by Mu Dynamics before, and over the last week or so I've been using it more and more to look at EOIs. If you've not used it before, here's a short overview of the tool.

xtractr runs on Linux (the latest version is 4.5.40426) and can be downloaded here.

You will need an account (free) with Mu Dynamics to use the query services.

xtractr can be used in stand-alone mode, which means your pcaps, queries and labels never leave your machine. It can also be used with Mu Studio to convert the data into a stateful test case.

More than one person can look at the data at a time, and if you need to look at more than one capture at the same time, you can run multiple instances of xtractr.

The free lite version can index a capture of up to either 10 million packets or 1 GB of pcaps.

That said, here's what you'll need to do to use xtractr. Once you've created your account, downloaded the tarball and installed it, you're ready to index your packets. You'll want full-length packet captures here if you're going to do network forensics.

Create yourself a workspace directory with whatever name you want, and copy (or capture, if you're testing) your pcap there. I'd suggest giving the pcap a meaningful name, so you know later what it contains without having to look through it.

Make a sub-directory, again with whatever name you wish, to store your indices in.

Now you need to index the pcap. The syntax is:

xtractr index (index_directory) --mode (basic|forensics) (pcap-file)

So if we had a pcap called "dns-traffic.2.4.11.pcap" and a sub-directory called "index_dns", and we wanted full data (forensics), we would run:

xtractr index index_dns --mode forensics dns-traffic.2.4.11.pcap

Depending on how big your pcap is, this might take a little while to run; xtractr will show a progress meter while it works and return you to the prompt when done. You can omit the mode parameter, by the way, and xtractr will default to basic.
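As an added example (not code from the original post or from Mu Dynamics), here is a POSIX shell script that lays out the workspace and index sub-directory described above, checks the capture's snaplen before building a forensics index (forensics work needs full-length packets), and then runs the index command exactly as given. The libpcap header layout, the 65535 "full packet" threshold and an xtractr binary on PATH are assumptions.

```shell
#!/bin/sh
# Added example: workspace layout + index step for xtractr, with a snaplen
# sanity check. Assumes classic libpcap files (snaplen lives at byte offset
# 16 of the global header) and that xtractr is on PATH.

# Print the snaplen recorded in a libpcap global header; print 0 and fail
# when the file does not start with a libpcap magic number.
pcap_snaplen() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    raw=$(od -An -tx1 -j16 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|4d3cb2a1)   # little-endian writer: reverse the byte order
            raw=$(printf '%s' "$raw" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/') ;;
        a1b2c3d4|a1b23c4d) ;; # big-endian writer: bytes are already in order
        *) echo 0; return 1 ;;
    esac
    printf '%d\n' "0x$raw"
}

# Build the index command in the form the post gives:
#   xtractr index <index_dir> --mode <basic|forensics> <pcap>
# The mode defaults to basic when omitted, as xtractr itself does.
xtractr_index_cmd() {
    index_dir=$1; pcap=$2; mode=${3:-basic}
    case "$mode" in
        basic|forensics) ;;
        *) echo "unknown mode '$mode' (use basic or forensics)" >&2; return 1 ;;
    esac
    # 65535 is taken here as the conventional full-packet snaplen (assumption).
    if [ "$mode" = forensics ] && [ "$(pcap_snaplen "$pcap")" -lt 65535 ]; then
        echo "warning: $pcap has a short snaplen; payloads may be truncated" >&2
    fi
    printf 'xtractr index %s --mode %s %s\n' "$index_dir" "$mode" "$pcap"
}

# Workspace layout from the post: a directory holding the pcap plus an
# index sub-directory named after it; the index is then built in place.
index_workspace() {
    ws=$1; pcap=$2; mode=$3
    name=$(basename "$pcap" .pcap)
    mkdir -p "$ws/index_$name" && cp "$pcap" "$ws/" && cd "$ws" || return 1
    cmd=$(xtractr_index_cmd "index_$name" "$name.pcap" "$mode") || return 1
    echo "$cmd"
    if command -v xtractr >/dev/null 2>&1; then $cmd   # word-split on purpose
    else echo "xtractr not on PATH; run the command above from $ws" >&2; fi
}

# Usage: ./index.sh <workspace> <pcap> [basic|forensics]
if [ $# -ge 2 ]; then index_workspace "$@"; fi
```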
(Continued - Blogger is not co-operating today)